The recent sabotage directed at the Nord Stream pipeline, coupled with the escalating risks stemming from Russia’s war against Ukraine, has unquestionably thrust the resilience of critical entities into the spotlight of political discussions. Physical and cyber-attacks targeting critical entities undoubtedly undermine the security of the European Union (EU). Consequently, the European legislator approved a new legal framework enhancing the EU’s resilience against physical and cyber threats.
The Evolution of Critical Infrastructure Protection in the European Union
In response to a series of devastating terrorist attacks – ranging from 9/11 in 2001, to the Madrid Train Bombings in 2004, and the 7/7 London bombings in 2005 – the EU took decisive steps to enhance its security. The European Programme for Critical Infrastructure Protection (EPCIP) was established in 2006, followed by the adoption of the European Critical Infrastructure Directive (ECI) in 2008. This directive set forth protective measures for individual assets or systems deemed critical by at least two Member States. A 2019 evaluation of the directive declared it insufficient to prevent disruptions, given the increasingly interdependent relationships within supply chains that exist among critical entities.
Thus, on 16 December 2020, the European Commission presented a proposal for a directive on the resilience of critical entities (CER) together with a directive on measures for a high common level of cybersecurity across the EU (NIS 2). Along with the Digital Operational Resilience Act (DORA) and the Foreign Direct Investment regulation (FDI), the European Union introduced a new legal framework that shifted focus from protection to resilience of critical infrastructures. In December 2022, the Council further advocated for the immediate adoption of measures and swift implementation of the directive through a Council Recommendation, emphasizing a Union-wide coordinated approach to strengthen the resilience of critical infrastructure.
The CER Directive: Resilience rather than protection
With the new CER directive, the European legislator deliberately broadens the scope of critical infrastructure protection. This is particularly evident in the use of the term “critical entities”, which encompasses a wider range of sectors. While the ECI directive initially defined only two sectors, namely Energy and Transport, the CER directive now defines 11 key sectors. These sectors include energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food. Furthermore, it proposes concrete resilience measures to face various threats such as natural hazards, terrorist attacks, insider threats, and sabotage. It also suggests conducting background checks on specific categories of personnel within critical entities.
Now, Member States must adopt a national strategy and carry out regular risk assessments to identify critical entities. The transposition of the directive, and especially the designation of the competent authorities by the Member States, promises to be challenging given the multisectoral scope of the directive.
New Technology’s opportunities and risks for Critical Entities’ Resilience
When discussing the resilience of critical infrastructure, it’s essential to consider state-of-the-art technological measures alongside conventional organizational and physical measures. The recent sabotage of communication cables in France in October 2022 and the surveillance of energy infrastructure in Norway, the Netherlands, and Belgium by Russia highlight the urgent need to prioritize measures that enhance the ability of critical entities to withstand and recover from incidents. Consequently, technological solutions such as artificial intelligence, digital twins, and the Internet of Things (IoT) hold the potential to identify measures that enhance the resilience of critical entities. These technologies enable risk analysis, real-time threat identification, simulations, and exercises, empowering decision-makers with a range of options to assure resilience.
The use of a digital twin, defined by Gartner as “a digital representation of a real-world entity or system”, allows for the simulation of scenarios that are challenging to predict and manage, typically in stress tests. Additionally, IoT devices aid in the collection and correlation of crucial information, leading to better standardization and thereby more efficient resilience strategies. The predictive capabilities of artificial intelligence could further enhance the reliability of risk analysis and the efficiency of risk management.
The EU Horizon Europe Framework Programme has issued a call named “Resilient Infrastructure 2023”, which promotes the development of innovative projects in the domain of resilience for critical entities against cyber and non-cyber threats in specific sectors. Serving as a test bed for technological resilience tools, these projects aim to bolster cooperation, enhance situational awareness, and reduce risks by improving the preparedness of critical entities.
However, the use of these emerging technologies presents a significant risk and therefore necessitates the implementation of appropriate safeguards. The substantial volume of sensitive data required to train artificial intelligence and create a digital twin must be effectively protected against potential attacks. It’s unavoidable that cybercriminals, terrorists, and adversarial foreign states will attempt to target these emerging technologies for the damage such attacks could cause.
While the application of new technologies offers an opportunity to bolster the resilience of critical infrastructures, the yet unknown risks associated with their early adoption undoubtedly contribute to the challenges encountered by their operators.
M2 Cyberjustice – 2022/2023
Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.
Christer Pursiainen & Eero Kytömaa (2022): From European critical infrastructure protection to the resilience of European critical entities: what does it mean? Sustainable and Resilient Infrastructure.